Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 07:11

Static task: static1
Behavioral task: behavioral1
  Sample: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en

General
Target: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
Size: 2.6MB
MD5: 9218265fb231290964c8f92d64cf2f50
SHA1: f521242e65fd3250e3ae999b05f831b53e593838
SHA256: efdbbfd33878cec186fd94c28f219be1af51df0db664e3c290e7545f77b33c9e
SHA512: ac501c8265c6df08fa7a4f45444d06f798350f3a6de35442dbcb84b00047ca53f17c703ac39fc9ab5714871ec3e0e04bdb1223eeeb88301f59e7ec5e8603373e
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpeb
Malware Config

Signatures

Drops startup file 1 IoCs
Processes: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
description   ioc                                                                                                 Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe          9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs
Processes: sysdevopti.exe, xdobsys.exe
pid   Process
2204  sysdevopti.exe
1208  xdobsys.exe

Loads dropped DLL 2 IoCs
Processes: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
pid   Process
2928  9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
2928  9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
description      ioc                                                                                                                                      Process
Set value (str)  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesHE\\xdobsys.exe"      9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSD\\dobxsys.exe"   9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe, sysdevopti.exe, xdobsys.exe
pid   Process
2928  9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
2928  9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe
2204  sysdevopti.exe
1208  xdobsys.exe

Suspicious use of WriteProcessMemory 8 IoCs
Processes: 9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
description                       pid   Process                                              procid_target
PID 2928 wrote to memory of 2204  2928  9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe  28
PID 2928 wrote to memory of 2204  2928  9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe  28
PID 2928 wrote to memory of 2204  2928  9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe  28
PID 2928 wrote to memory of 2204  2928  9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe  28
PID 2928 wrote to memory of 1208  2928  9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe  29
PID 2928 wrote to memory of 1208  2928  9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe  29
PID 2928 wrote to memory of 1208  2928  9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe  29
PID 2928 wrote to memory of 1208  2928  9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe  29
Processes

Path (depth 1): C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2928

  Path (depth 2): C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 2204

  Path (depth 2): C:\FilesHE\xdobsys.exe
  Command line: C:\FilesHE\xdobsys.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID: 1208

Network
MITRE ATT&CK Enterprise v15
Downloads